feat: add Cursor, Codex, and OpenCode harnesses — maximize every AI coding tool

- AGENTS.md: universal cross-tool file read by Claude Code, Cursor, Codex, and OpenCode
- .cursor/: 15 hook events via hooks.json, 16 hook scripts with DRY adapter pattern,
  29 rules (9 common + 20 language-specific) with Cursor YAML frontmatter
- .codex/: reference config.toml, Codex-specific AGENTS.md supplement,
  10 skills ported to .agents/skills/ with openai.yaml metadata
- .opencode/: 3 new tools (format-code, lint-check, git-summary), 3 new hooks
  (shell.env, experimental.session.compacting, permission.ask), expanded instructions,
  version bumped to 1.6.0
- README: fixed Cursor section, added Codex section, added cross-tool parity table
- install.sh: now copies hooks.json + hooks/ for --target cursor

examples/sessions/2026-01-17-debugging-memory.tmp

@@ -1,54 +0,0 @@
-# Session: Memory Leak Investigation
-**Date:** 2026-01-17
-**Started:** 09:00
-**Last Updated:** 12:00
-
----
-
-## Current State
-
-Investigating memory leak in production. Heap growing unbounded over 24h period.
-
-### Completed
-- [x] Set up heap snapshots in staging
-- [x] Identified leak source: event listeners not being cleaned up
-- [x] Fixed leak in WebSocket handler
-- [x] Verified fix with 4h soak test
-
-### Root Cause
-WebSocket `onMessage` handlers were being added on reconnect but not removed on disconnect. After ~1000 reconnects, memory grew from 200MB to 2GB.
-
-### The Fix
-```javascript
-// Before (leaking)
-socket.on('connect', () => {
-  socket.on('message', handleMessage)
-})
-
-// After (fixed)
-socket.on('connect', () => {
-  socket.off('message', handleMessage) // Remove old listener first
-  socket.on('message', handleMessage)
-})
-
-// Even better - use once or cleanup on disconnect
-socket.on('disconnect', () => {
-  socket.removeAllListeners('message')
-})
-```
-
-### Debugging Technique Worth Saving
-1. Take heap snapshot at T=0
-2. Force garbage collection: `global.gc()`
-3. Run suspected operation N times
-4. Take heap snapshot at T=1
-5. Compare snapshots - look for objects with count = N
-
-### Notes for Next Session
-- Add memory monitoring alert at 1GB threshold
-- Document this debugging pattern for team
-
-### Context to Load
-```
-src/services/websocket.js
-```

examples/sessions/2026-01-19-refactor-api.tmp

@@ -1,43 +0,0 @@
-# Session: API Refactor - Error Handling
-**Date:** 2026-01-19
-**Started:** 10:00
-**Last Updated:** 13:30
-
----
-
-## Current State
-
-Standardizing error handling across all API endpoints. Moving from ad-hoc try/catch to centralized error middleware.
-
-### Completed
-- [x] Created AppError class with status codes
-- [x] Built global error handler middleware
-- [x] Migrated `/users` routes to new pattern
-- [x] Migrated `/products` routes
-
-### Key Findings
-- 47 endpoints with inconsistent error responses
-- Some returning `{ error: message }`, others `{ message: message }`
-- No consistent HTTP status codes
-
-### Error Response Standard
-```javascript
-{
-  success: false,
-  error: {
-    code: 'VALIDATION_ERROR',
-    message: 'Email is required',
-    field: 'email'  // optional, for validation errors
-  }
-}
-```
-
-### Notes for Next Session
-- Migrate remaining routes: `/orders`, `/payments`, `/admin`
-- Add error logging to monitoring service
-
-### Context to Load
-```
-src/middleware/errorHandler.js
-src/utils/AppError.js
-```

examples/sessions/2026-01-20-feature-auth.tmp

@@ -1,76 +0,0 @@
-# Session: Auth Feature Implementation
-**Date:** 2026-01-20
-**Started:** 14:30
-**Last Updated:** 17:45
-
----
-
-## Current State
-
-Working on JWT authentication flow for the API. Main goal is replacing session-based auth with stateless tokens.
-
-### Completed
-- [x] Set up JWT signing with RS256
-- [x] Created `/auth/login` endpoint
-- [x] Added refresh token rotation
-- [x] Fixed token expiry bug (was using seconds, needed milliseconds)
-
-### In Progress
-- [ ] Add rate limiting to auth endpoints
-- [ ] Implement token blacklist for logout
-
-### Blockers Encountered
-1. **jsonwebtoken version mismatch** - v9.x changed the `verify()` signature, had to update error handling
-2. **Redis TTL for refresh tokens** - Was setting TTL in seconds but passing milliseconds
-
-### Key Decisions Made
-- Using RS256 over HS256 for better security with distributed services
-- Storing refresh tokens in Redis with 7-day TTL
-- Access tokens expire in 15 minutes
-
-### Code Locations Modified
-- `src/middleware/auth.js` - JWT verification middleware
-- `src/routes/auth.js` - Login/logout/refresh endpoints
-- `src/services/token.service.js` - Token generation and validation
-
-### Notes for Next Session
-- Need to add CSRF protection for cookie-based token storage
-- Consider adding fingerprinting for refresh token binding
-- Review rate limit values with team
-
-### Context to Load
-```
-src/middleware/
-src/routes/auth.js
-src/services/token.service.js
-```
-
----
-
-## Session Log
-
-**14:30** - Started session, goal is JWT implementation
-
-**14:45** - Set up basic JWT signing. Using RS256 with key pair stored in env vars.
-
-**15:20** - Login endpoint working. Discovered jsonwebtoken v9 breaking change - `verify()` now throws different error types. Updated catch block:
-```javascript
-// Old (v8)
-if (err.name === 'TokenExpiredError') { ... }
-
-// New (v9)
-if (err instanceof jwt.TokenExpiredError) { ... }
-```
-
-**16:00** - Refresh token rotation working but tokens expiring immediately. Bug: was passing `Date.now()` (milliseconds) to `expiresIn` which expects seconds. Fixed:
-```javascript
-// Wrong
-expiresIn: Date.now() + 900000
-
-// Correct
-expiresIn: '15m'
-```
-
-**17:30** - Auth flow complete. Login -> access token -> refresh -> new tokens. Ready for rate limiting tomorrow.
-
-**17:45** - Saving session state.